
Barriers to Adoption

Barriers

There are four main barriers to the automotive industry achieving the greatest benefit from security:

  • Lack of awareness at the right level within companies
  • The current CAs' lack of awareness of the technical issues associated with OFTP2 security
  • Misperceptions based upon the positioning of existing network solutions
  • Confusion as to the legal requirements

Certificate Costs

The high cost of certificates could be a major obstacle to the rapid uptake of OFTP2. The certificate costs imposed by existing CAs could limit the growth of OFTP2 and may not allow flexible approaches for OEM supplier bases.

Certificate Usage

The OFTP2 mechanism for the use of certificates is alien to the current usage of certificates that are provided by the CAs of today. Changes are required within existing CA infrastructures to accommodate the full spectrum of requirements that the automotive industry possesses.

Hardware Costs

For large companies, maintaining their own CA to issue certificates has a cost impact. They will have invariably left the CA creation to their specialist; at present even the lowest cost cryptographic hardware costs around 20,000 Euros.

ENX

ENX is a Virtual Private Network (VPN) that runs on top of the Internet infrastructure. Its mandate is to get data from one company to another company securely – not department to department, nor individual to individual.

Control by the industry

It is important that the automotive industry has control of key common services. Historically Ford, GM and Chrysler formed Covisint, but not long after it was spun off and split up. With ANX, ANXeBusiness Inc. acquired the rights to the ANX network from the Automotive Industry Action Group (AIAG) in 2001. Could the same thing happen to ENX?

Are the original requirements for ENX still valid?

A key original selling point of ENX was its ability to provide quality of service and bandwidth availability. Over time, however, both the quality of service and the bandwidth provided by normal internet service providers have increased to the extent that the original requirement is no longer as much of a problem. New protocols such as OFTP2 now provide a secure internet protocol for the exchange of business-sensitive data between partners.

Cost Issues

Compared to typical public internet access, the cost of the ENX network is high and prohibitive to many companies. Even some existing ENX users are now looking to secure transmissions over the public internet utilising protocols such as OFTP2 to overcome the complexity and cost issues related to ENX, JNX and ANX.

Is ENX an expensive European solution to a global problem?

ENX is primarily a European network, although ENX connections are available in some countries outside of Europe. The cost of ENX connections in South America is prohibitive to most suppliers. The equivalent secure network in the USA is called ANX, but it is interesting to note that there is no secure connection between the ENX and ANX networks, thereby resulting in a purely European solution to secure business connections to a global automotive industry.

Connection to the ENX network is via routers provided and configured by ENX Internet Service Providers (ISPs). Each company-to-company connection necessitates a change to the routers' configuration, which is managed by the small number of ENX ISPs. The centralised nature of this environment provides a single point of failure which could result in the loss of the entire ENX network.

Proprietary OEM Certificates

Some OEMs create certificates with non-standard content that is used by their internal applications. Suppliers must therefore use the certificates issued by the OEM and cannot use standardised certificates.

The consequence is that a supplier must maintain multiple certificates, but which ones, if any, are legal? Those acknowledged by a governmental organisation as being legal in the context of their usage are obviously legal. But where do self-signed certificates signed by a customer stand?

Does a certificate for a supplier or an entity within a supplier, signed by the customer, have a meaning? The answer is “yes” for the customer and also “yes” for third parties if the customer's root certificate is generally available and if the customer is regarded as trustworthy. This type of trust is a clique trust, i.e. a trust within a group of friends.

Conformance to Standards

The issue is also one of standards and conformance to standards. Being different can sometimes give a company a proprietary and commercial advantage, but in other cases being different can have an adverse effect which can negatively impact the industry as a whole.

Requirement Awareness

Many, if not most, security specialists in the OEMs have up to now only been required to focus upon the more traditional areas of certificate usage such as SSL/TLS and signed emails. Education is required to ensure that OEMs understand the full range of security features offered by OFTP2 and the implications upon the type of certificates required.

Trust

Among other things, it requires some root of trust. Somewhere in the system there must be one or more trusted parties; authorities that can then certify, using encryption, other, lesser entities. One very difficult question is, who should be the certifying authority?

Copyright Data Interchange Plc 2010